CVE-2025-58434
Published: 12 September 2025
Summary
CVE-2025-58434 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Account (T1087.004); ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).
Deeper analysis
Flowise, an open-source drag-and-drop interface for building customized LLM flows, contains an authentication bypass in its password-reset functionality. In versions 3.0.5 and earlier, the unauthenticated `forgot-password` endpoint returns a valid `tempToken` and other account details for any supplied user, affecting both the hosted service at cloud.flowiseai.com and any self-hosted or local deployment that exposes the same API. The issue is tracked as CWE-306 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker can invoke the endpoint with an arbitrary username or email to obtain a working reset token, then immediately change the target account’s password and achieve full account takeover. Because the endpoint performs no identity verification and returns the token directly in the response, the attack requires no prior access, credentials, or user interaction.
The vulnerability was addressed in commit 9e178d68873eb876073846433a596590d3d9c863, released in version 3.0.6. The advisory recommends that password-reset tokens never be returned in API responses, that they be delivered only through the registered email channel, that the endpoint always reply with a generic success message, and that tokens be single-use, short-lived, and bound to the original request context. The same controls should be applied to both cloud and self-hosted instances, and password-reset activity should be logged for anomaly detection. The current EPSS score of 0.3236 shows no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29069
Vulnerability details
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentication or verification. This…
more
enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (`cloud.flowiseai.com`) and self-hosted/local Flowise deployments that expose the same API. Commit 9e178d68873eb876073846433a596590d3d9c863 in version 3.0.6 secures password reset endpoints. Several recommended remediation steps are available. Do not return reset tokens or sensitive account details in API responses. Tokens must only be delivered securely via the registered email channel. Ensure `forgot-password` responds with a generic success message regardless of input, to avoid user enumeration. Require strong validation of the `tempToken` (e.g., single-use, short expiry, tied to request origin, validated against email delivery). Apply the same fixes to both cloud and self-hosted/local deployments. Log and monitor password reset requests for suspicious activity. Consider multi-factor verification for sensitive accounts.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: flowise, large language model
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated forgot-password endpoint leaks reset tokens for arbitrary users, enabling cloud account discovery via response differences (T1087.004), exploitation of public-facing application (T1190), and account takeover for valid cloud account abuse (T1078.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 requires secure management and distribution of authenticators like password reset tempTokens, preventing their exposure in unauthenticated API responses and mandating delivery via secure channels such as email with validation like single-use and expiry.
AC-14 explicitly limits actions performable without identification or authentication, ensuring the forgot-password endpoint only returns generic success messages without issuing valid reset tokens to unauthenticated users.
IA-6 mandates obscuring authentication feedback, such as generic responses to forgot-password requests, to prevent information disclosure, user enumeration, and exploitation leading to account takeover.